  • Advisory ID: DRUPAL-SA-CONTRIB-2009-070
  • Project: Shibboleth authentication (third-party module)
  • Version: 6.x, 5.x
  • Date: 2009-October-14
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Impersonation, privilege escalation

Description

The Shibboleth authentication module provides user authentication and authorisation based on the Shibboleth Web Single Sign-on system.

The module does not properly handle changes of the underlying Shibboleth session: once a Drupal login has been established, it is not re-checked against the Shibboleth session that created it. This can result in impersonation and possible privilege escalation when a user leaves the browser unattended, for instance after performing a SAML2 Single Logout. A person who uses the same browser session and re-authenticates at their IdP may end up logged in to Drupal as the original user, even accidentally. The dynamic roles assigned by the module are derived from the attributes of the new user, but any permissions statically granted to the victim's account remain in effect.
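To make the failure mode concrete, the following is an added Python model of the scenario described above. It is illustrative code written for this advisory, not code from the Shibboleth authentication module, and it does not reproduce the module's actual fix. It assumes the Shibboleth SP exports the authenticated principal as REMOTE_USER and the SP session identifier as Shib-Session-ID (the SP's conventional server variable names; neither is named in the advisory); the users, attribute values and role mapping are constructed for the example. The "vulnerable" handler keeps the application session bound to the first principal it saw while refreshing dynamic roles from whoever is currently authenticated; the "hardened" handler destroys the application session whenever the SP session or principal changes.

```python
"""Session binding between a Shibboleth SP session and an application session.

Added illustration, not code from the Shibboleth authentication module.
Assumed SP variable names: REMOTE_USER (principal) and Shib-Session-ID
(SP session identifier). All users, attributes and roles are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed mapping of an "affiliation" attribute to module-style dynamic roles.
DYNAMIC_ROLE_MAP = {"staff": "staff", "student": "student"}

# Constructed static role grants, as stored in the application's user table.
STATIC_ROLES: Dict[str, Set[str]] = {"alice": {"administrator"}}


@dataclass
class AppSession:
    """Server-side application session state, looked up by the browser cookie."""
    user: Optional[str] = None
    shib_session_id: Optional[str] = None
    dynamic_roles: Set[str] = field(default_factory=set)


def dynamic_roles_from(env: Dict[str, str]) -> Set[str]:
    """Derive dynamic roles from the attributes the SP currently exports."""
    affiliations = env.get("affiliation", "")
    return {DYNAMIC_ROLE_MAP[a] for a in affiliations.split(";") if a in DYNAMIC_ROLE_MAP}


def effective_roles(session: AppSession) -> Set[str]:
    """Static grants of the session's user plus the current dynamic roles."""
    if session.user is None:
        return set()
    return STATIC_ROLES.get(session.user, set()) | session.dynamic_roles


def handle_request_vulnerable(session: AppSession, env: Dict[str, str]) -> AppSession:
    """Pre-fix behaviour: log in on first sight of a principal, then trust the
    application session indefinitely. Dynamic roles follow the current SP
    attributes, but the logged-in identity is never compared with them."""
    principal = env.get("REMOTE_USER")
    if session.user is None and principal:
        session.user = principal
        session.shib_session_id = env.get("Shib-Session-ID")
    if principal:  # attributes of whoever is authenticated at the SP right now
        session.dynamic_roles = dynamic_roles_from(env)
    return session


def handle_request_hardened(session: AppSession, env: Dict[str, str]) -> AppSession:
    """Bind the application session to the SP session: if the SP session is
    gone (logout) or belongs to a different principal, destroy the application
    session, static grants included, before doing anything else."""
    principal = env.get("REMOTE_USER")
    sp_session = env.get("Shib-Session-ID")
    if session.user is not None and (
        principal != session.user or sp_session != session.shib_session_id
    ):
        session = AppSession()
    if principal and session.user is None:
        session.user = principal
        session.shib_session_id = sp_session
    if session.user is not None:
        session.dynamic_roles = dynamic_roles_from(env)
    return session


def run_scenario(handler) -> Dict[str, object]:
    """Replay the advisory's scenario against a request handler.

    1. alice authenticates at the IdP and uses the application.
    2. alice performs SAML2 Single Logout (SP session gone) and walks away.
    3. bob authenticates at the IdP in the same browser, reusing the app cookie.
    """
    # Constructed SP environments for the three steps.
    alice_env = {"REMOTE_USER": "alice", "Shib-Session-ID": "_a1", "affiliation": "staff"}
    logged_out_env: Dict[str, str] = {}
    bob_env = {"REMOTE_USER": "bob", "Shib-Session-ID": "_b2", "affiliation": "student"}

    session = AppSession()
    session = handler(session, alice_env)
    session = handler(session, logged_out_env)
    session = handler(session, bob_env)
    return {"user": session.user, "roles": effective_roles(session)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(handle_request_vulnerable))
    print("hardened:  ", run_scenario(handle_request_hardened))
```

With the vulnerable handler bob ends up acting as alice, holding alice's static administrator grant together with the student role derived from his own attributes, which is exactly the mix the advisory describes. With the hardened handler the application session is destroyed at the logout step, and bob's later request produces a fresh session carrying only his own roles. The check belongs on every request, not only at login, because the SP session can change at any time during the life of the application cookie.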

Versions affected

  • Shibboleth authentication versions for Drupal 6.x prior to 6.x-3.2
  • Shibboleth authentication versions for Drupal 5.x prior to 5.x-3.4

Drupal core is not affected. If you do not use the contributed Shibboleth authentication module, there is nothing you need to do.

Solution

Upgrade to the latest version:

  • If you use Shibboleth authentication for Drupal 6.x upgrade to version 6.x-3.2
  • If you use Shibboleth authentication for Drupal 5.x upgrade to version 5.x-3.4

See also the Shibboleth authentication project page.

Reported by

Kristof Bajnok, Shibboleth authentication module maintainer.

Fixed by

Kristof Bajnok, Shibboleth authentication module maintainer.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.